b'     Department of Homeland Security\n\n     2I\xc3\x80FH\x03RI\x03,QVSHFWRU\x03*HQHUDO\n\n\n Information Technology Management Letter for the \n\n     FY 2013 Department of Homeland Security\xe2\x80\x99s \n\n             Financial Statement Audit\n\n\n\n\n\nOIG-14-94                                  May 2014\n\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n                                 Washington, DC 20528 / www.oig.dhs.gov\n\n\n\x03\n\x03   \x03    \x03      \x03            \x03           May\x0316,\x032014\x03\n\x03\nMEMORANDUM\x03FOR:\x03\x03            Luke\x03McCormack\x03\n                             Chief\x03Information\x03Officer\x03\n\x03\n                             The\x03Honorable\x03Chip\x03Fulghum\x03\n                             Acting\x03Chief\x03Financial\x03Officer\x03\n\x03\nFROM:\x03                       Richard\x03Harsche\x03\n                             Acting\x03Assistant\x03Inspector\x03General\x03\n                             Office\x03of\x03Information\x03Technology\x03Audits\x03\n\x03\nSUBJECT:\x03\t                   Information\x03Technology\x03Management\x03Letter\x03for\x03the\x03FY\x03\n                             2013\x03Department\x03of\x03Homeland\x03Security\xe2\x80\x99s\x03Financial\x03\n                             
Statement\x03Audit\x03\n\x03\nAttached\x03for\x03your\x03information\x03is\x03our\x03final\x03report,\x03Information\x03Technology\x03Management\x03\nLetter\x03for\x03the\x03FY\x032013\x03Department\x03of\x03Homeland\x03Security\xe2\x80\x99s\x03Financial\x03Statement\x03Audit.\x03\nThis\x03report\x03contains\x03comments\x03and\x03recommendations\x03related\x03to\x03information\x03\ntechnology\x03internal\x03control\x03deficiencies\x03that\x03were\x03not\x03required\x03to\x03be\x03reported\x03in\x03the\x03\nIndependent\x03Auditors\xe2\x80\x99\x03Report.\x03\x03\n\x03\nWe\x03contracted\x03with\x03the\x03independent\x03public\x03accounting\x03firm\x03KPMG\x03LLP\x03(KPMG)\x03to\x03\nconduct\x03the\x03audit\x03of\x03Department\x03of\x03Homeland\x03Security\x03fiscal\x03year\x032013\x03consolidated\x03\nfinancial\x03statements.\x03The\x03contract\x03required\x03that\x03KPMG\x03perform\x03its\x03audit\x03according\x03to\x03\ngenerally\x03accepted\x03government\x03auditing\x03standards\x03and\x03guidance\x03from\x03the\x03Office\x03of\x03\nManagement\x03and\x03Budget\x03and\x03the\x03Government\x03Accountability\x03Office.\x03KPMG\x03is\x03\nresponsible\x03for\x03the\x03attached\x03management\x03letter\x03dated\x03March\x0311,\x032014,\x03and\x03the\x03\nconclusion\x03expressed\x03in\x03it.\x03\n\x03\nPlease\x03call\x03me\x03with\x03any\x03questions,\x03or\x03your\x03staff\x03may\x03contact\x03Sharon\x03Huiswoud,\x03Director,\x03\nInformation\x03Systems\x03Audit\x03Division,\x03at\x03(202)\x03254\xcd\xb25451.\x03\n\x03\nAttachment\x03\n\x03\n\x03\t                           \x03\n\n\n\n\n\x03\n\n\x0c                                KPMG LLP\n                                Suite 12000\n                                1801 K Street, NW\n                                Washington, DC 20006\n\n\n\n\nMarch 11, 2014\n\n\nInspector General,\nChief Information Officer and\nChief Financial Officer\nU.S. 
Department of Homeland Security\n\nLadies and Gentlemen:\n\nWe have audited the financial statements of the U.S. Department of Homeland Security (DHS or\nDepartment) for the year ended September 30, 2013 (referred to herein as the \xe2\x80\x9cfiscal year (FY) 2013\nfinancial statements\xe2\x80\x9d), and have issued our report thereon dated December 11, 2013. In planning and\nperforming our audit of the financial statements of DHS, in accordance with auditing standards\ngenerally accepted in the United States of America and Government Auditing Standards, we considered\ninternal control over financial reporting (internal control) as a basis for designing our auditing\nprocedures for the purpose of expressing our opinion on the financial statements. In conjunction with\nour audit of the financial statements, we also performed an audit of internal control over financial\nreporting in accordance with attestation standards issued by the American Institute of Certified Public\nAccountants.\n\nIn accordance with Government Auditing Standards, our Independent Auditors\xe2\x80\x99 Report, dated\nDecember 11, 2013, included internal control deficiencies identified during our audit that, in aggregate,\nrepresented a material weakness in information technology (IT) controls and financial system\nfunctionality at the DHS Department-wide level.\n\nDuring our audit we noted certain matters involving internal control and other operational matters that\nare presented for your consideration. 
These comments and recommendations, all of which have been\ndiscussed with the appropriate members of management and communicated through Notices of\nFindings and Recommendations (NFRs), are intended to improve internal control or result in other\noperating efficiencies and are summarized as described below.\n\nWith respect to DHS\xe2\x80\x99 and components\xe2\x80\x99 financial systems\xe2\x80\x99 IT controls, we noted certain matters in the\nareas of security management, access controls, configuration management, segregation of duties, and\ncontingency planning. These matters are described in the Findings and Recommendations section of\nthis letter.\n\nThe Table of Contents identifies each section of the letter. We have provided a description of key DHS\nfinancial systems and IT infrastructure within the scope of the FY 2013 DHS financial statement audit\nin Appendix A, and a listing of each IT NFR communicated to management in Appendix B.\n\n\n\n\n                                KPMG LLP is a Delaware limited liability partnership,\n                                the U.S. 
member firm of KPMG International Cooperative\n                                (\xe2\x80\x9cKPMG International\xe2\x80\x9d), a Swiss entity.\n\x0cDuring our audit we noted certain matters involving financial reporting internal controls (comments not\nrelated to IT) and other operational matters, including certain deficiencies in internal control that we\nconsider to be significant deficiencies and material weaknesses, and communicated them in writing to\nmanagement and those charged with governance in our Independent Auditors\xe2\x80\x99 Report and in a separate\nletter to the Office of Inspector General and the DHS Chief Financial Officer.\n\nOur audit procedures are designed primarily to enable us to form an opinion on the financial statements\nand on the effectiveness of internal control over financial reporting, and therefore may not bring to\nlight all weaknesses in policies or procedures that may exist. We aim, however, to use our knowledge\nof DHS\xe2\x80\x99 organization gained during our work to make comments and suggestions that we hope will be\nuseful to you.\n\nWe would be pleased to discuss these comments and recommendations with you at any time.\n\nDHS\xe2\x80\x99 response to the deficiencies identified in our audit is described in page 10 of this letter. DHS\xe2\x80\x99\nresponse was not subjected to the auditing procedures applied in the audit of the financial statements\nand, accordingly, we express no opinion on the response.\n\nThe purpose of this letter is solely to describe comments and recommendations intended to improve\ninternal control or result in other operating efficiencies. 
Accordingly, this letter is not suitable for any\nother purpose.\n\nVery truly yours,\n\x0c                                 Department of Homeland Security\n                      Consolidated Information Technology Management Letter\n                                        September 30, 2013\n\n\n                                     TABLE OF CONTENTS\n\n                                                                                            Page\nObjective, Scope, and Approach                                                               2\n\nSummary of Findings                                                                          4\n\nFindings and Recommendations                                                                 6\n\n   Deficiencies Related to GITCs                                                             6\n\n   Deficiencies Related to Financial Systems Functionality                                   7\n\n   Cause/Effect                                                                              8\n\n   Recommendation                                                                            9\n\nManagement Response                                                                          10\n\n\n                                           APPENDICES\n\nAppendix                                       Subject                                      Page\n           Description of Key Financial Systems and IT Infrastructure within the Scope of    11\n   A\n           the FY 2013 DHS Financial Statement Audit \n\n   B       FY 2013 IT Notices of Findings and Recommendations at DHS                         20\n\n\n\n\n\n                                                  1\n\n\x0c                                   Department of Homeland Security\n                        Consolidated Information Technology Management Letter\n                                          September 30, 2013\n\n\n                              OBJECTIVE, SCOPE, AND APPROACH 
\n\n\nObjective\n\nWe have audited the financial statements of the U.S. Department of Homeland Security (DHS or\nDepartment) for the year ended September 30, 2013 (referred to herein as the \xe2\x80\x9cfiscal year (FY) 2013\nfinancial statements\xe2\x80\x9d). In connection with our audit of the FY 2013 financial statements, we performed an\nevaluation of selected general information technology (IT) controls (GITCs) and IT application controls\nat DHS Components to assist in planning and performing our audit engagement.\n\nScope\n\nThe scope of our GITC and IT application control test work is described in Appendix A, which provides a\ndescription of the key DHS component financial systems and IT infrastructure by DHS Component\nwithin the scope of the FY 2013 DHS consolidated financial statement audit.\n\nApproach\n\nGeneral Information Technology Controls\n\nThe Federal Information System Controls Audit Manual (FISCAM), issued by the U.S. Government\nAccountability Office (GAO), formed the basis of our GITC evaluation procedures.\n\nFISCAM was designed to inform financial statement auditors about IT controls and related audit concerns\nto assist them in planning their audit work and to integrate the work of auditors with other aspects of the\nfinancial statement audit. FISCAM also provides guidance to auditors when considering the scope and\nextent of review that generally should be performed when evaluating GITCs and the IT environment of a\nFederal agency. 
FISCAM defines the following five control categories to be essential to the effective\noperation of GITCs and the IT environment:\n\nx   Security Management \xe2\x80\x93 Controls that provide a framework and continuing cycle of activity for\n    managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy\n    of computer-related security controls.\n\n    x   In conjunction with our test work of security management GITCs, limited after-hours physical\n        security testing at select DHS Component facilities was conducted to identify potential control\n        deficiencies in non-technical aspects of IT security.\n\nx   Access Control \xe2\x80\x93 Controls that limit or detect access to computer resources (data, programs,\n    equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.\n\nx   Configuration Management \xe2\x80\x93 Controls that help to prevent unauthorized changes to information\n    system resources (software programs and hardware configurations) and provide reasonable assurance\n    that systems are configured and operating securely and as intended.\n\n    x   We performed technical information security testing for key DHS Component network and\n        system devices. 
The technical security testing was performed from within select DHS facilities\n\n                                                    2\n\n\x0c                                   Department of Homeland Security\n                        Consolidated Information Technology Management Letter\n                                          September 30, 2013\n\n\n       and focused on production devices that directly support DHS\xe2\x80\x99 and Components\xe2\x80\x99 financial\n       processing and key general support systems.\n\nx   Segregation of Duties \xe2\x80\x93 Controls that constitute policies, procedures, and an organizational structure\n    to manage who can control key aspects of computer-related operations.\n\nx   Contingency Planning \xe2\x80\x93 Controls that involve procedures for continuing critical operations without\n    interruption, or with prompt resumption, when unexpected events occur.\n\nIT Application Controls\n\nWe performed testing over selected key IT application controls on financial systems and applications to\nassess the financial systems\xe2\x80\x99 internal controls over the input, processing, and output of financial data and\ntransactions. FISCAM defines application controls as the structure, policies, and procedures that apply to\nseparate, individual application systems, such as accounts payable, inventory, or payroll.\n\nFinancial Systems Functionality\n\nIn recent years, we have noted that the DHS\xe2\x80\x99 financial system functionality may be inhibiting the\nagency\xe2\x80\x99s ability to implement and maintain internal controls, notably IT applications controls supporting\nfinancial data processing and reporting at some Components. 
At most Components, the financial systems\nhave not been substantially updated since being inherited from legacy agencies several years ago.\nTherefore, in FY 2013, we continued to evaluate and consider the impact of financial system functionality\nover financial reporting.\n\n\n\n\n                                                     3\n\n\x0c                                   Department of Homeland Security\n                        Consolidated Information Technology Management Letter\n                                          September 30, 2013\n\n\n                                      SUMMARY OF FINDINGS\n\nDuring our FY 2013 assessment of GITCs and IT application controls, we noted that the DHS\nComponents made progress in the remediation of IT findings we reported in FY 2012. As a result, we\nclosed 62 (45 percent) of the prior year IT findings which were subject to follow-up procedures in FY\n2013. We also issued 32 new findings, which is a significant decrease compared to the 103 new findings\nin FY 2012.\n\nIn FY 2013, we issued 103 total findings, of which approximately 69 percent are repeated from last year.\nApproximately 35 percent of our repeat findings were for IT deficiencies that management represented\nwere corrected during FY 2013. The new findings in FY 2013 resulted both from additional IT systems\nand business processes within the scope of our audit this year and from control deficiencies identified in\nareas which were effective in previous years, and were noted at all DHS components. Customs and\nBorder Protection (CBP) and the Federal Law Enforcement Training Center (FLETC) had the greatest\nnumber of new findings. We also considered the effects of financial system functionality when testing\ninternal controls and evaluating findings. 
Many key DHS financial systems are not compliant with the\nfinancial management systems requirements of the Federal Financial Management Improvement Act of\n1996 and Office of Management and Budget (OMB) Circular Number A-127, Financial Management\nSystems, as revised. DHS financial system functionality limitations add substantially to the Department\xe2\x80\x99s\nchallenges of addressing systemic internal control weaknesses and limit the Department\xe2\x80\x99s ability to\nleverage IT systems to effectively and efficiently process and report financial data.\n\nThe majority of findings resulted from the lack of properly documented, fully designed and implemented,\nadequately detailed, and consistently implemented financial system controls to comply with DHS\nSensitive Systems Policy Directive 4300A, Information Technology Security Program, requirements and\nNational Institute of Standards and Technology guidance. The most significant weaknesses from a\nfinancial statement audit perspective continued to include:\n\n    1.\t Excessive unauthorized access to key DHS financial applications, resources, and facilities;\n    2.\t Configuration management controls that are not fully defined, followed, or effective;\n    3.\t Security management deficiencies in the areas of security authorization and role-based security\n        training;\n    4.\t Contingency planning that lacked current and tested contingency plans developed to protect DHS\n        resources and financial applications;\n    5.\t Lack of proper segregation of duties for roles and responsibilities within financial systems; and\n    6.\t Ineffective IT application controls.\n\nThe conditions supporting our findings collectively limited DHS\xe2\x80\x99 ability to ensure that critical financial\nand operational data were maintained in such a manner to ensure confidentiality, integrity, and\navailability. 
In addition, these deficiencies negatively impacted the internal controls over DHS\xe2\x80\x99 financial\nreporting and its operation and we consider them to collectively represent a material weakness for DHS\nunder standards established by the American Institute of Certified Public Accountants and the U.S. GAO.\nThe IT findings were combined into one material weakness regarding IT Controls and Financial System\nFunctionality for the FY 2013 audit of the DHS consolidated financial statements. Specific results of\n\n                                                     4\n\n\x0c                                 Department of Homeland Security\n                      Consolidated Information Technology Management Letter\n                                        September 30, 2013\n\n\nGITC and IT application controls test work is provided in separate limited distribution IT management\nletters provided to component management and the Office of Inspector General.\n\nWhile the recommendations made by us should be considered by DHS, it is the ultimate responsibility of\nDHS management to determine the most appropriate method(s) for addressing the weaknesses identified.\n\n\n\n\n                                                  5\n\n\x0c                                  Department of Homeland Security\n                       Consolidated Information Technology Management Letter\n                                         September 30, 2013\n\n\n                              FINDINGS AND RECOMMENDATIONS\n\n\nFindings\n\nIn FY 2013, a number of IT and financial system functionality deficiencies were identified at DHS. 
Our\nfindings, which were a cross-representation of GITC and financial systems functionality deficiencies\nidentified throughout the Department\xe2\x80\x99s Components, follow:\n\nDeficiencies Related to GITCs\n\nSecurity Management\n\nx   Required security authorization activities and supporting artifacts for key financial systems were not\n    always completed and documented.\n\nx   Controls to monitor compliance with requirements for role-based training for personnel with\n    significant information security responsibilities were not always consistently implemented, and\n    documentation of individuals subject to role-based training requirements was sometimes incomplete.\n\nx   Federal employees and contractors did not consistently adhere to DHS and Component policies,\n    guidance, and security awareness training concerning the protection of sensitive assets and\n    information from unauthorized access or disclosure.\n\nAccess Controls\n\nx\t Policies and procedures for key financial applications had not been developed to identify elevated\n   access at the application level.\n\nx\t Management of application, database, network, and remote user accounts was inadequate or\n   inconsistent.\n\nx\t Safeguards over logical and physical access to sensitive facilities and resources were not always\n   effective.\n\nx\t Generation, review, and analysis of system audit logs were not always adequate or consistent.\n\nx\t Access of authorized personnel to sensitive areas containing key financial systems was sometimes\n   more than needed, and data center access controls were not properly enforced.\n\nx\t Transferred and/or terminated employees were not always timely removed from financial systems,\n   and policies related to revocation of system access were not always implemented or finalized.\n\nConfiguration Management\n\nx\t Configuration management policies and procedures were not always documented.\n\n\n\n                                                    
6\n\n\x0c                                   Department of Homeland Security\n                        Consolidated Information Technology Management Letter\n                                          September 30, 2013\n\n\nx   Security patch management and configuration deficiencies were identified during the vulnerability\n    assessment on the platforms supporting the key financial applications and general support systems.\n\nx   Evidence to support authorized modifications to key financial systems was not always maintained.\n\nx   Monitoring controls were not always implemented for key financial systems to ensure the\n    completeness and integrity of records of implemented system changes.\n\nx   Management of administrator access to move IT system code within and between environments was\n    sometimes inadequate or inconsistent.\n\nSegregation of Duties\n\nx\t Implementation of segregation of duties for IT and financial management personnel with access to\n   financial systems across several platforms was inadequate or incomplete.\n\nContingency Planning\n\nx\t Service continuity plans were not always tested, and an alternate processing site was not established\n   for high risk systems.\n\nx\t Backup policies and procedures were inconsistently documented.\n\nx\t Backup parameters were not always properly implemented or managed.\n\nDeficiencies Related to Financial Systems Functionality\n\nWe noted many cases where financial system functionality was inhibiting DHS\xe2\x80\x99 ability to implement and\nmaintain internal controls, notably IT application controls supporting financial data processing and\nreporting. Financial system functionality limitations also contribute to other control deficiencies and\ncompliance findings presented in our Independent Auditor\xe2\x80\x99s Report. 
We noted persistent and pervasive\nfinancial system functionality conditions at all of the significant DHS Components in the following\ngeneral areas:\n\nx\t At one Component, IT systems have unique functionality issues due to numerous variables, most of\n   which were not within the control of the Component. Production versions of financial systems were\n   outdated and did not provide the necessary core functional capabilities. The Component had installed\n   extensive workarounds, redundant and overlapping systems, and numerous manual reconciliation\n   processes, as necessary to produce auditable financial statements. Some of these workarounds and\n   systems were installed as the only means to validate actual data in the various general ledgers, and\n   support the financial statements. In many cases, the IT systems were not designed to allow the\n   Component to install and use routine automated controls to assist with efficient, reliable, financial\n   processing.\n\nx\t At another Component, multiple financial IT systems continued to be impaired by functionality\n   limitations which prevent implementation of effective security controls. These limitations, which\n\n\n                                                   7\n\n\x0c                                  Department of Homeland Security\n                       Consolidated Information Technology Management Letter\n                                         September 30, 2013\n\n\n    principally impact audit logging controls intended to monitor logical access and configuration\n    management activities, were being addressed through enterprise-wide solutions which were not fully\n    implemented at the time of our audit procedures. 
Additionally, certain feeder systems were operating\n    with outdated and unsupported system software components which exposed them to vulnerabilities\n    that cannot be mitigated.\n\nx   Several financial systems have limited capacity to process, store, and report financial and\n    performance data to facilitate decision making, safeguarding and management of assets, and prepare\n    financial statements that comply with Generally Accepted Accounting Principles.\n\nx   One financial system lacked the controls necessary to prevent or detect and correct excessive\n    drawback claims. Specifically, the programming logic for the system did not link drawback claims to\n    imports at a detailed, line item level.\n\nx   Technical configuration limitations, such as outdated systems that were no longer fully supported by\n    the software vendors, impaired DHS\xe2\x80\x99 ability to fully comply with policy in areas such as IT security\n    controls, notably password management, audit logging, user profile changes, and the restricting of\n    access for off-boarding employees and contractors.\n\nx   System capability limitations prevent or restrict the use of applications controls to replace less\n    reliable, more costly manual controls; or in some cases, required additional manual controls to\n    compensate for IT security or control weaknesses.\n\nx   Some IT subsidiary modules that could improve controls and reliability were not active due to various\n    system design and integrity reasons.\n\nx   Some IT system controls were not designed to prevent the receipt of goods and services in excess of\n    available funding.\n\nCause/Effect\n\nDHS management recognized the need to upgrade its financial systems. Until serious legacy IT issues are\naddressed and updated IT solutions implemented, compensating controls and other complex manual\nworkarounds must support its IT environment and financial reporting. 
As a result, DHS\xe2\x80\x99 difficulty\nattesting to a strong control environment, to include effective general IT controls and reliance on key\nfinancial systems, will likely continue.\n\nThe conditions supporting our findings collectively limit DHS\xe2\x80\x99 ability to process, store, and report\nfinancial data in a manner to ensure accuracy, confidentiality, integrity, and availability. Some of the\nweaknesses may result in material errors in DHS\xe2\x80\x99 financial data that were not detected in a timely manner\nthrough the normal course of business. In addition, because of the presence of IT control and financial\nsystem functionality weaknesses; there is added pressure on mitigating controls to operate effectively.\nBecause mitigating controls were often more manually focused, there is an increased risk of human error\nthat could materially affect the financial statements.\n\n\n\n\n                                                   8\n\n\x0c                                 Department of Homeland Security\n                      Consolidated Information Technology Management Letter\n                                        September 30, 2013\n\n\nRecommendation\n\nWe recommend that the DHS Office of the Chief Information Officer (OCIO) and Office of the Chief\nFinancial Officer (OCFO), in coordination with DHS Component management, continue the Financial\nSystems Modernization initiative, and make necessary improvements to the Department\xe2\x80\x99s financial\nmanagement systems and supporting IT security controls.\n\nSpecific recommendations were provided in separate letters provided to DHS Component management.\n\n\n\n\n                                                9\n\n\x0c                                  Department of Homeland Security\n                       Consolidated Information Technology Management Letter\n                                         September 30, 2013\n\n\n                                   MANAGEMENT RESPONSE\n\n\nThe DHS 
Office of Inspector General discussed our report with DHS management and reported that DHS\nmanagement concurs with the findings and recommendations described in this letter, and will continue to\nwork with Component management to address these issues.\n\n\n\n\n                                                  10\n\n\x0c                         Department of Homeland Security\n              Consolidated Information Technology Management Letter\n                                September 30, 2013\n\n\n\n\n                                Appendix A \n\nDescription of Key Financial Systems and IT Infrastructure within \n\n    the Scope of the FY 2013 DHS Financial Statement Audit \n\n\n\n\n\n                                       11\n\n\x0c                                                                                            Appendix A\n\n                                  Department of Homeland Security\n                       Consolidated Information Technology Management Letter\n                                         September 30, 2013\n\n\nBelow is a description of key financial management systems and supporting IT infrastructure included in\nthe scope of the DHS FY 2013 financial statement audit.\n\nDHS Headquarters (Office of Financial Management / Office of the Chief Information Officer)\n\nDHS Treasury Information Executive Repository (DHSTIER)\n\nDHSTIER is the system of record for the DHS consolidated financial statements and is used to track,\nprocess, and perform validation and edit checks against monthly financial data uploaded from each of the\nDHS components\xe2\x80\x99 core financial management systems. 
DHSTIER is administered jointly by the OCFO\nResource Management Transformation Office and the OCFO Office of Financial Management and is\nhosted on the DHS OneNet at the Stennis Data Center in Mississippi (MS).\n\nCustoms and Border Protection (CBP)\n\nSystems, Applications, and Products (SAP) Enterprise Central Component (ECC)\n\nSAP is CBP\xe2\x80\x99s financial system of record. SAP is a major integrated client/server-based financial\nmanagement system implemented by CBP to manage assets (e.g., budget, logistics, procurement, and\nrelated policy) and revenue (e.g., accounting and commercial operations: trade, tariff, and law\nenforcement), and to provide information for strategic decision making. The SAP instance includes several\nmodules (including ECC 6.0, Intelligent Procurement, and Budget Tools) that provide system functionality\nfor Funds Management, Budget Control, General Ledger, Real Estate, Property, Internal Orders, Sales and\nDistribution, Special Purpose Ledger, and Accounts Payable functionality, among others. The SAP ECC\nfinancial management system was included within the scope of the FY 2013 financial statement audit. The\nBorder Enforcement and Management Systems (BEMS) Program Office and the Enterprise Data\nManagement and Engineering (EDME) Program Office own the SAP application, UNIX and Windows\noperating systems and Oracle database located in Virginia (VA).\n\nAutomated Commercial Environment (ACE)\n\nACE is the commercial trade processing system being developed and implemented by CBP to replace the\nAutomated Commercial System (ACS). The mission of ACE is to implement a secure, integrated,\ngovernment-wide system for the electronic collection, use, and dissemination of international trade and\ntransportation data essential to Federal agencies. ACE is a custom-developed, internet-facing, multi-tier\nsystem with high availability characteristics, and it processes sensitive data. ACE is being deployed in\nphases over several years. 
As a result, some financial modules will remain in the ACS operating environment until they can be developed and deployed in ACE. Since ACE was partially implemented during FY 2013, it was included within the scope of the FY 2013 financial statement audit. The Cargo Systems Program Office (CSPO), the Enterprise Networks and Technology Support (ENTS) Program Office, and the EDME Program Office own the ACE application, AIX operating system, and DB2 database located in VA.

Automated Commercial System (ACS)

ACS is a collection of seven mainframe-based sub-systems used by CBP to track, control, and process commercial goods and conveyances entering the United States territory, for the purpose of collecting import duties, fees, and taxes owed to the Federal government. ACS collects duties at ports, collaborates with financial institutions to process duty and tax payments, provides automated duty filing for trade clients, and shares information with the Federal Trade Commission on trade violations, illegal imports, and terrorist activities. The ACS system was included within the scope of the FY 2013 financial statement audit. The CSPO and the ENTS Program Office own the ACS application and mainframe located in VA.

District of Columbia Metropolitan Local Area Network (DC Metro LAN)

The DC Metro LAN provides CBP's DC area employees and contractors user access to enterprise-wide applications and systems. The mission of the DC Metro LAN is to support the mission of CBP operational elements in the DC Metro LAN region of the organization.
The boundary of the DC Metro LAN includes tools such as personal computers, laptop computers, printers, and file/print servers which enable CBP officers and agents to interact with all other applications and systems in the CBP environment. The DC Metro LAN supports ACE, ACS, and SAP and provides authentication mechanisms that are used by SAP for single sign-on capability; as a result, the DC Metro LAN was included within the scope of the FY 2013 financial statement audit. The Field Support (FS) Program Office and the EDME Program Office own the DC Metro LAN located in VA.

United States Coast Guard (USCG or Coast Guard)

Core Accounting System (CAS)

CAS is the core accounting system that records financial transactions and generates financial statements for the Coast Guard. CAS is hosted at the Coast Guard Finance Center (FINCEN) in VA. CAS interfaces with the Financial and Procurement Desktop (FPD), also located at FINCEN. CAS is used by financial management personnel as CAS is the main system of record for financial information. CAS has a Hewlett-Packard (HP) UNIX operating system with an Oracle database, and the organizations responsible for CAS are FINCEN, Coast Guard OCFO, and Coast Guard OCIO.

Financial Procurement Desktop (FPD)

The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly program element status reports. FPD is interconnected with the CAS system, is located at the FINCEN in VA, and has an HP UNIX operating system and Oracle database.
The organizations responsible for CAS are FINCEN, Coast Guard OCFO, and Coast Guard OCIO.

Joint Uniform Military Pay System (JUMPS)

JUMPS is an IBM z/OS mainframe application and database that is used for paying USCG active and reserve payroll and is mainly used by Pay and Personnel Center (PPC) employees. JUMPS is located at the Burlington Northern Santa Fe data center in Kansas. The responsible organization for JUMPS is PPC, which falls under the purview of the Coast Guard OCIO.

Direct Access

Direct Access is the system of record for all functionality, data entry, and processing of payroll events for the Coast Guard. Every Coast Guard employee is a user of the system. Employees may use Direct Access to correct their own personal information, such as address and beneficiaries. The main financial users use Direct Access to process payroll events and change personnel records such as pay scales. Up until June 2013, Direct Access was maintained by IBM Application On Demand (IBM AOD) in the iStructure data center facility in Arizona (AZ) with an automated backup site located in a Qwest data center in VA. Starting in June 2013, Direct Access is maintained by Addx Corporation and is located in VA. Direct Access is a PeopleSoft application residing on servers operating the Solaris and Windows Server 2000 operating systems and is supported by an Oracle database. The responsible organization for Direct Access is the Office of the Chief Information Officer (OCIO).

Global Pay (Direct Access II)

Global Pay provides retiree and annuitant support services.
Until June 2013, Global Pay was maintained by IBM AOD in the iStructure data center facility in AZ with an automated backup site located in a Qwest data center in VA. Starting in June 2013, Global Pay is maintained by Addx Corporation and is located in VA. Global Pay is a PeopleSoft application residing on servers operating the IBM x Series operating system and is supported by an Oracle database. The responsible organization for Global Pay is the Coast Guard OCIO.

Naval and Electronics Supply Support System (NESSS)

NESSS is one of four automated information systems that comprise the family of Coast Guard logistics systems. NESSS is a fully integrated system linking the functions of provisioning and cataloging, unit configuration, supply and inventory control, procurement, depot-level maintenance and property accountability, and a full financial general ledger. NESSS is used by both financial and logistics personnel across numerous Coast Guard locations. NESSS is located at the Operations Systems Center (OSC) in West Virginia, resides on servers operating the Microsoft Windows 2003 and HP/UNIX operating systems, and is supported by an Oracle database. The responsible organizations for NESSS are the Office of Logistics Program Management and OSC, which act under the purview of the Coast Guard OCIO.

Aviation Logistics Management Information System (ALMIS)

ALMIS provides Coast Guard Aviation logistics management support in the areas of operations, configuration management, maintenance, supply, procurement, financial, and business intelligence. Additionally, ALMIS covers the following types of information: Financial, Budget, Planning, Aircraft & Crew Status, Training & Readiness, and Logistics & Supply. The Aviation Maintenance Management Information System, a subcomponent of ALMIS, functions as the inventory management/fiscal accounting component of the ALMIS application.
The Aircraft Repair & Supply Center Information Systems Division in North Carolina (NC) hosts the ALMIS application. ALMIS is used by both financial and logistics personnel across numerous Coast Guard locations. ALMIS is located at the Aviation Logistics Center (ALC) in NC and has an HP UNIX operating system and a Haley database. The responsible organization for ALMIS is ALC.

United States Citizenship and Immigration Services (USCIS)

Federal Financial Management System (FFMS)

The FFMS is a CFO-designated financial system and certified software application that conforms to OMB Circular A-127 and implements the use of a Standard General Ledger for the accounting of agency financial transactions. It is used to create and maintain a record of each allocation, commitment, obligation, travel advance, and accounts receivable issued. It is the system of record for the agency and supports all internal and external reporting requirements. FFMS is a commercial off-the-shelf (COTS) financial reporting system, which has an IBM z/OS operating system and an Oracle database. It includes the core system used by accountants, FFMS Desktop that is used by end-users, and a National Finance Center (NFC) payroll interface. The FFMS mainframe component and servers are hosted at the DHS Enterprise Data Center (DC-2) located in VA. U.S. Immigration and Customs Enforcement (ICE) is the system owner and manages FFMS for USCIS.

USCIS Network (CIS1)

CIS1 is the Active Directory Domain Services platform used within USCIS that contains all of USCIS's Active Directory and Exchange resources. CIS1 is a part of the Enterprise Infrastructure Services accreditation boundary, and all Active Directory information, including the Active Directory database itself, is hosted on specified servers called Domain Controllers. These 52 Active Directory Domain Controllers are located throughout the country, with the majority of them located in VA and Nebraska.

Federal Emergency Management Agency (FEMA)

Integrated Financial Management Information System (IFMIS)

IFMIS is the official accounting system of FEMA and maintains all financial data for internal and external reporting. IFMIS is comprised of five subsystems: Funding, Cost Posting, Disbursements, Accounts Receivable, and General Ledger. The application is a COTS software package developed and maintained by Digital Systems Group Incorporated.
IFMIS interfaces with the Payment and Reporting System (PARS), the Emergency Support System (ES), ProTrac, Smartlink (Department of Health and Human Services [HHS]), Treasury Information Executive Repository (Department of the Treasury), Secure Payment System (Department of the Treasury), Grants Management System (Department of Justice), United States Coast Guard Credit Card System, Credit Card Transaction Management System (CCTMS), Assistance to Firefighters Grants, eGrants, and Enterprise Data Warehouse and Payroll (Department of Agriculture NFC). The IFMIS production environment is located in VA.

Payment and Reporting System (PARS)

PARS is a standalone web-based application. The PARS database resides on the IFMIS UNIX server and is incorporated within the certification & accreditation boundary for that system. Through its web interface, PARS collects Standard Form 425 information from grantees and stores the information in its Oracle 9i database. Automated scheduled jobs are run daily to update and interface grant and obligation information between PARS and IFMIS. PARS is located in VA.

Non-Disaster Grant Management System (NDGrants)

NDGrants is a web-based system that supports the grants management lifecycle. It is used by external stakeholders and grantees, via a public Web site, to apply for grants, monitor the progress of grant applications and payments, and view related reports, and by the FEMA Grants Program Directorate, Program Support Division, via an internal Web site, for reviewing, approving, and processing grant awards. NDGrants interfaces with two other systems: FEMA's internal Integrated Security and Access Control System (ISAAC), a component of the Network Access Control System used for user credentialing and role-based access; and the HHS Grants.gov system, used for publishing grant solicitations and downloading applications.
NDGrants is located in VA.

Emergency Management Mission Integrated Environment (EMMIE)

EMMIE is an internal Web-based grants management solution used by FEMA program offices and user communities directly involved in the grant lifecycle associated with the Public Assistance Grant Program and the Fire Management Assistance Grant Program. It is also designed to interface with other government entities and grant and sub-grant applicants (e.g., states and localities). EMMIE provides functionality for public entities and private non-profit entities to create and submit grant applications and for FEMA users to review and award applications, generate and review relevant mission-critical reports, process amendments, and conduct close-out activities. Interfaces exist between the EMMIE system, IFMIS, and ISAAC. EMMIE is located in VA.

Emergency Support (ES)

ES is an internal FEMA application for pre-processing disaster-related financial transactions, including allocation, commitment, obligation, mission assignment, and payment requests from other internal and external systems. ES serves as the primary interface to IFMIS. It also allows FEMA users to process disaster housing payments, perform payment recoupment, and conduct other administrative tasks.
In addition to IFMIS, ES has interfaces to several other FEMA systems, including:

• ISAAC (organizational and personnel data and team setup);
• Emergency Coordination (incident and disaster declarations);
• Enterprise Coordination and Approvals Processing System (commitment and mission assignment [obligation] requests);
• Hazard Mitigation Grants Program (allocation and obligation requests);
• Individual Assistance (payment and recoupment requests);
• Public Assistance (obligation and allocation requests);
• Automated Deployment Database (personnel data);
• Assistance to Firefighters Grants (obligation, invoice, and vendor requests);
• EMMIE (obligation requests);
• Mitigation Electronic Grants Management System (obligation requests); and
• CCTMS (expenditure requests).

ES is located in Virginia.

Traverse

Traverse is the general ledger application currently used by the National Flood Insurance Program (NFIP) Bureau and Statistical Agent to generate the NFIP financial statements. Traverse is a client-server application that runs on the NFIP Local Area Network (LAN) Windows server environment located in Maryland (MD). The Traverse client is installed on the desktop computers of the NFIP Bureau of Financial Statistical Control group members and interfaces with a Microsoft Structured Query Language (SQL) database hosted on an internal segment of the NFIP LAN. Traverse has no known external system interfaces.

Transaction Recording and Reporting Processing (TRRP)

The TRRP application acts as a central repository of all data submitted by the Write Your Own (WYO) companies and the Direct Servicing Agent (DSA) for the NFIP.
TRRP also supports the WYO program, primarily by ensuring the quality of financial data submitted by the WYO companies and DSA to TRRP. TRRP is a mainframe-based application that runs on the NFIP mainframe logical partition in Connecticut. TRRP has no known system interfaces.

Federal Law Enforcement Training Center (FLETC)

Financial Accounting and Budgeting System (FABS)

The FLETC FABS application (also referred to as Momentum) is an all-in-one financial processing system. It functions as the computerized accounting and budgeting system for FLETC. FLETC provides financial management services to the Office of Intelligence and Analysis and the Office of Operations Coordination and Planning (IA&OPS) through a separately hosted Momentum environment, which was developed to mirror the FLETC Momentum environment. The FABS system exists to provide all of the financial and budgeting transactions in which FLETC is involved. FABS system users are from all FLETC sites that input requisitions and managers that approve receipt of property and manage the property asset records and financial records for contracts, payments, payroll, and budgetary transactions. Hosted on a Microsoft Server 2003 and Oracle Linux Server, the FABS application (Oracle WebLogic) and database (Oracle 10g) servers reside on the FLETC Glynco Administrative Network (GAN) in a hybrid physical network topology and are accessible from four sites: Georgia (GA), DC, New Mexico, and MD.
The system owner and responsible office is the Finance Division Chief in the FLETC OCFO.

Glynco Administrative Network (GAN)

The purpose of GAN is to provide access to IT network applications and services, including video and voice teleconferencing, to authorized FLETC personnel, contractors, and partner organizations located at the Georgia facility. It provides authorized users access to email, internet services, required applications such as financial management systems, procurement systems, property management systems, video conference, and other network services and shared resources. The GAN is located in GA and is owned and operated by the FLETC OCIO.

United States Immigration and Customs Enforcement (ICE)

Federal Financial Management System (FFMS)

The FFMS is a CFO-designated financial system and certified software application that conforms to OMB Circular A-127 and implements the use of a Standard General Ledger for the accounting of agency financial transactions. It is used to create and maintain a record of each allocation, commitment, obligation, travel advance, and accounts receivable issued. It is the system of record for the agency and supports all internal and external reporting requirements. FFMS is a COTS financial reporting system, which has an IBM z/OS operating system and an Oracle database. It includes the core system used by accountants, FFMS Desktop that is used by average users, and a National Finance Center payroll interface. The FFMS mainframe component and servers are hosted at DC-2 in VA. The ICE OCIO is responsible for FFMS.

ICE Network (ADEX)

The ICE Network, also known as the ADEX E-mail System, is a major application for ICE.
The ADEX servers and infrastructure for the headquarters and National Capital Area are located in MS and VA. ADEX currently interfaces with the Diplomatic Telecommunications Service Program Office ICENet Infrastructure.

Transportation Security Administration (TSA)

Core Accounting System (CAS)

CAS is the core accounting system that records financial transactions and generates financial statements for TSA. CAS is hosted at the Coast Guard's FINCEN in VA. CAS interfaces with other systems located at the FINCEN, including the Financial Procurement Desktop (FPD) and Sunflower. CAS is used by financial management personnel as CAS is the main system of record for financial information. CAS is comprised of an HP UNIX operating system and an Oracle database.

Financial Procurement Desktop (FPD)

The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly program element status reports. FPD interfaces with the CAS system and is hosted at the FINCEN in VA. FPD is comprised of an HP UNIX operating system and an Oracle database.

Sunflower

Sunflower is a customized third-party COTS product used for TSA and Federal Air Marshal Service property management. Sunflower interacts directly with the Office of Finance Fixed Assets module in CAS and interfaces with the FPD system. Sunflower is hosted at the FINCEN in VA.
Sunflower is comprised of a Red Hat Linux operating system and an Oracle database.

Electronic Time Attendance and Scheduling (eTAS)

eTAS is an automated and standardized labor management solution. The system provides an automated means to schedule employee work and leave hours, record hours worked and not worked, and provide bi-weekly time records to TSA's payroll provider, the NFC. The system automates the workforce management process to reduce the amount of time, effort, and associated cost required for entry of data. eTAS is comprised of a Windows 2003 operating system and an Oracle database, and is located at DC-2 in VA. The Office of Human Capital is responsible for eTAS.

Appendix B

FY 2013 IT Notices of Findings and Recommendations at DHS

DHS Headquarters (Office of Financial Management / Office of the Chief Information Officer)

FY 2013 NFR # | NFR Title | FISCAM Control Area | New or Repeat Issue
CONS-IT-13-01 | Security Awareness Issues Identified during After-Hours Physical Security Testing at DHS | Security Management | Repeat
OCIO-IT-13-01 | Inadequate Recertification of DC-2 Physical Access | Access Controls | Repeat
OCIO-IT-13-02 | Backup Log Rotation Not Consistently Performed | Contingency Planning | New
OCIO-IT-13-03 | Inadequate Recertification of DHS Enterprise Data Center 1 Physical Access | Access Controls | New

Customs and Border Protection

FY 2013 NFR # (1) | NFR Title | FISCAM Control Area | New or Repeat Issue
CBP-IT-13-01 | Inappropriately Configured Password Parameters for SAP UNIX Operating System (OS) | Access Controls | New
CBP-IT-13-02 | Audit Activity Logs Not Reviewed for SAP Oracle Database (DB) | Access Controls | Repeat
CBP-IT-13-03 | Lack of Review of SAP Windows OS Accounts | Access Controls | Repeat
CBP-IT-13-04 | Incomplete SAP UNIX OS Backups | Contingency Planning | New
CBP-IT-13-05 | Lack of Evidence of Review of SAP UNIX OS Audit Logs | Access Controls | New
CBP-IT-13-06 | Lack of Review of ACS Application Audit Logs | Access Controls | Repeat
CBP-IT-13-07 | Security Awareness Issues Identified during After-Hours Physical Security Testing at CBP | Security Management | Repeat
CBP-IT-13-08 | Lack of Review of Developer Access to the ACS Production Application Data | Access Controls | Repeat
CBP-IT-13-09 | Inappropriately Configured ACE AIX OS Password Parameters | Access Controls | New
CBP-IT-13-10 | Inappropriately Configured ACE DB2 Database Password Parameters | Access Controls | New
CBP-IT-13-11 | Lack of Functionality in the ACS | Business Process Controls | Repeat
CBP-IT-13-12 | Lack of Review of ACE DB2 Database Accounts | Access Controls | New
CBP-IT-13-13 | Lack of Annual Recertification of Mainframe Privileged Users | Access Controls | Repeat
CBP-IT-13-14 | Incomplete Raised Floor Visitors Logs | Access Controls | New
CBP-IT-13-16 | Weaknesses in Creating New DC Metro LAN Accounts | Access Controls | Repeat
CBP-IT-13-17 | Separated Personnel on SAP Application User Listing | Access Controls | Repeat
CBP-IT-13-18 | Weaknesses in Creating New ACE Accounts | Access Controls | Repeat
CBP-IT-13-19 | Weaknesses in Creating New ACS Accounts | Access Controls | Repeat
CBP-IT-13-20 | SAP Configuration Baseline Weaknesses | Configuration Management | New
CBP-IT-13-22 | Separated Personnel on Mainframe User Listing | Access Controls | Repeat
CBP-IT-13-23 | Weaknesses in Documenting New ACE User Accounts in the Development and Testing Environments | Configuration Management | New
CBP-IT-13-24 | ACS Segregation of Duties Weaknesses over the Production Environment | Access Controls | Repeat
CBP-IT-13-25 | Lack of Unique Account Identifiers for ACS | Access Controls | New
CBP-IT-13-28 | ACS Application Recertification Weaknesses | Access Controls | New
CBP-IT-13-29 | Audit Activity Logs Not Generated or Reviewed for SAP Windows OS | Access Controls | New
CBP-IT-13-30 | Separated Personnel on DC Metro LAN User Listing | Access Controls | Repeat
CBP-IT-13-31 | Separated Personnel on ACE Application User Listing | Access Controls | Repeat
CBP-IT-13-33 | Contractor Separation Process Weaknesses | Security Management | Repeat
CBP-IT-13-34 | Weaknesses over the Employee Separation Process | Security Management | Repeat

(1) NFR numbers CBP-IT-13-15, CBP-IT-13-21, CBP-IT-13-26, CBP-IT-13-27 and CBP-IT-13-32 were intentionally omitted from sequence.

United States Coast Guard

FY 2013 NFR # | NFR Title | FISCAM Control Area | New or Repeat Issue
CG-IT-13-01 | Lack of Consistent Contractor, Civilian, and Military Account Termination Notification Process for Coast Guard Systems | Access Controls | Repeat
CG-IT-13-02 | Weakness in Direct Access Audit Logs and Segregation of Duties | Access Controls | Repeat
CG-IT-13-03 | Weakness in Direct Access Annual User Recertification | Access Controls | Repeat
CG-IT-13-04 | Security Awareness Issues Identified During Social Engineering Testing at Surface Forces Logistics Center | Security Management | Repeat
CG-IT-13-05 | Security Awareness Issues Identified during After-Hours Physical Security Testing at the Surface Forces Logistics Center, OSC, ALC, and FINCEN | Security Management | Repeat
CG-IT-13-06 | Access and Configuration Management Controls - Vulnerability Assessment | Configuration Management | Repeat
CG-IT-13-07 | Weakness in JUMPS Annual User Recertification | Access Controls | New
CG-IT-13-08 | Weakness in NESSS Annual User Recertification | Access Controls | Repeat

United States Citizenship and Immigration Services

FY 2013 NFR # | NFR Title | FISCAM Control Area | New or Repeat Issue
CIS-IT-13-01 | Security Awareness Issues Identified During Social Engineering Testing at USCIS | Security Management | Repeat
CIS-IT-13-02 | Deficiencies in Transferred/Terminated Employee Exit Processing | Access Controls | Repeat
CIS-IT-13-03 | Security Awareness Issues Identified during After-Hours Physical Security Testing at USCIS | Security Management | Repeat
CIS-IT-13-04 | Weakness in CIS1 Password Complexity | Access Controls | New
CIS-IT-13-05 | FFMS Vulnerability Weaknesses Impact USCIS Operations | Configuration Management | Repeat

Federal Emergency Management Agency

FY 2013 NFR # | NFR Title | FISCAM Control Area(s) | New or Repeat Issue
FEMA-IT-13-01 | Non-Compliance with Alternate Processing Site Requirements for Key Financial Systems | Contingency Planning | Repeat
FEMA-IT-13-02 | Insufficient Audit Log Controls for Key Financial Systems | Access Controls | Repeat
FEMA-IT-13-03 | Inconsistent Implementation of DHS Background Investigation Requirements for FEMA Federal Employees and Contractors | Security Management | Repeat
FEMA-IT-13-04 | Incomplete Implementation of Role-Based Training for Individuals with Significant Information Security Responsibilities | Security Management | Repeat
FEMA-IT-13-05 | Non-Compliant Security Authorization Package for NDGrants |
              Security Management                   X\n    FEMA-IT-13-06   Non-Compliance with DHS and FEMA Password Requirements for Oracle Databases                Access Controls                     X\n                    Supporting Certain Financial Applications\n    FEMA-IT-13-07   Incomplete Exception Request for Password Controls on Oracle Databases Supporting        Security Management2                  X\n                    Certain Financial Applications\n    FEMA-IT-13-08   Security Awareness Issues Identified during After-Hours Physical Security Testing at     Security Management                   X\n                    FEMA\n    FEMA-IT-13-09   Weaknesses Identified during the Vulnerability Assessment on IFMIS                         Access Controls;                    X\n                                                                                                           Configuration Management\n    FEMA-IT-13-10   Weaknesses Identified during the Vulnerability Assessment on the NFIP LAN                   Access Controls;                   X\n                                                                                                           Configuration Management\n\n\n\n\n2\n NFR FEMA-IT-13-07 was reported in conjunction with FEMA-IT-13-06 as part of GITC deficiencies related to access controls in our Independent Auditors\xe2\x80\x99\nReport dated December 11, 2013.\n\n                                                                            26\n\n\x0c                                                                                                                                       Appendix B\n\n                                                     Department of Homeland Security\n                                          Consolidated Information Technology Management Letter\n                                                            September 30, 2013\n\n\nFY 2013 NFR #                                        NFR Title               
                          FISCAM Control Area(s)     New     Repeat\n                                                                                                                                  Issue    Issue\nFEMA-IT-13-11   Weaknesses Identified during the Vulnerability Assessment on Financially Significant   Configuration Management             X\n                Segments of the FEMA Enterprise Network and End-User Computing Environment\nFEMA-IT-13-12   Weaknesses Identified during the Vulnerability Assessment on EMMIE                     Configuration Management             X\nFEMA-IT-13-13   Weaknesses Identified during the Vulnerability Assessment on NDGrants                       Access Controls;                X\n                                                                                                       Configuration Management\nFEMA-IT-13-14   Non-Compliant Security Authorization Package for ES                                      Security Management                X\nFEMA-IT-13-15   Lack of Controls to Validate Completeness and Integrity of Changes Deployed to         Configuration Management             X\n                Production for EMMIE, NDGrants, and ES\nFEMA-IT-13-16   Incomplete Account Management Documentation for the EMMIE Application                      Access Controls         X\nFEMA-IT-13-17   Incomplete Account Management Documentation for NDGrants                                   Access Controls                  X\nFEMA-IT-13-18   Incomplete Account Management Documentation for ES                                         Access Controls                  X\nFEMA-IT-13-19   Excessive or Inappropriate Access to IFMIS                                                 Access Controls;                 X\n                                                                                                         Segregation of Duties\nFEMA-IT-13-20   Lack of EMMIE System Owner Approval for Database Accounts                             
     Access Controls                  X\nFEMA-IT-13-21   Lack of ES System Owner Approval for Database Accounts                                     Access Controls                  X\nFEMA-IT-13-22   Lack of NDGrants System Owner Approval for Database Accounts                               Access Controls                  X\nFEMA-IT-13-23   Inconsistent Authorization of New and Modified IFMIS Application User Access               Access Controls                  X\nFEMA-IT-13-24   Lack of Adequate Configuration Management over Network Devices Supporting              Configuration Management             X\n                Financial Systems\nFEMA-IT-13-25   Inconsistent Activities and Incomplete Documentation Supporting Configuration          Configuration Management             X\n                Changes for the IFMIS Application\n\n\n\n\n                                                                        27\n\n\x0c                                                                                                                                 Appendix B\n\n                                                    Department of Homeland Security\n                                         Consolidated Information Technology Management Letter\n                                                           September 30, 2013\n\n\nFY 2013 NFR #                                       NFR Title                                    FISCAM Control Area(s)     New     Repeat\n                                                                                                                            Issue    Issue\nFEMA-IT-13-26   Inconsistent Review of IFMIS Audit Logs                                              Access Controls                  X\nFEMA-IT-13-27   Lack of Controls to Validate Completeness and Integrity of Changes Deployed to   Configuration Management             X\n                Production for the IFMIS Production Environment\nFEMA-IT-13-28   Non-Compliant Security 
Authorization Package for IFMIS                             Security Management       X\n\n\n\n\n                                                                       28\n\n\x0c                                                                                                                                Appendix B\n\n                                                     Department of Homeland Security\n                                          Consolidated Information Technology Management Letter\n                                                            September 30, 2013\n\n\n                                              Federal Law Enforcement Training Center \n\n                                         and Intelligence & Analysis and Operations (IA&OPS) \n\n\nFY 2013 NFR #                                       NFR Title                                     FISCAM Control Area      New     Repeat\n                                                                                                                           Issue    Issue\nFLETC-IT-13-01   FLETC Momentum Audit Log Reviews not Consistently Maintained                        Access Controls        X\nFLETC-IT-13-02   Weakness in GAN Password Complexity                                                 Access Controls        X\nFLETC-IT-13-03   FLETC Momentum Account Management not Consistently Performed                        Access Controls        X\nFLETC-IT-13-04   Momentum Application Inactivity Lockout is not Appropriately Configured             Access Controls        X\nFLETC-IT-13-05   FLETC Contractor Separation not Fully Monitored                                     Access Controls        X\nIAOPS-IT-13-01   IA&OPS Momentum Audit Log Reviews not Consistently Performed in a Timely            Access Controls        X\n                 Manner\nIAOPS-IT-13-02   IA&OPS Segregation of Duties not Fully Enforced                                   Segregation of Duties    X\nIAOPS-IT-13-03   IA&OPS 
Momentum Account Management not Consistently Performed                       Access Controls                 X\nIAOPS-IT-13-04   Momentum Application Inactivity Lockout is not Appropriately Configured             Access Controls        X\nIAOPS-IT-13-05   IA&OPS Contractor Separation not Fully Monitored                                    Access Controls        X\nIAOPS-IT-13-06   Multiple Payment Vouchers can be Processed Against the Same Invoice          Business Process Controls     X\n\n\n\n\n                                                                      29\n\n\x0c                                                                                                                                       Appendix B\n\n                                                     Department of Homeland Security\n                                          Consolidated Information Technology Management Letter\n                                                            September 30, 2013\n\n\n                                          United States Immigration and Customs Enforcement\n\nFY 2013 NFR #                                        NFR Title                                          FISCAM Control Area       New     Repeat\n                                                                                                                                  Issue    Issue\n ICE-IT-13-01   Weakness in FFMS Backup Documentation                                                    Contingency Planning      X\n ICE-IT-13-02   Security Awareness Issues Identified during After-Hours Physical Security Testing at     Security Management                X\n                ICE\n ICE-IT-13-03   Weakness in FFMS Segregation of Duties Relating to IT Functions                          Segregation of Duties     X\n ICE-IT-13-04   Weakness in implementation of procedures for transferred/terminated employee and           Access Controls                  X\n                contractor exit 
processing\n ICE-IT-13-05   Inadequate FFMS User Access Request Forms                                                  Access Controls                  X\n ICE-IT-13-06   FFMS network and servers were installed with default configuration settings and        Configuration Management             X\n                protocols\n ICE-IT-13-07   FFMS Mainframe Production databases were installed and configured without baseline     Configuration Management             X\n                security configurations\n ICE-IT-13-08   FFMS servers have inadequate patch management                                          Configuration Management             X\n ICE-IT-13-09   Weakness in ADEX Password Complexity                                                       Access Controls         X\n\n\n\n\n                                                                        30\n\n\x0c                                                                                                                                  Appendix B\n\n                                                     Department of Homeland Security\n                                          Consolidated Information Technology Management Letter\n                                                            September 30, 2013\n\n\n                                               National Protection and Programs Directorate\n\nFY 2013 NFR #                                        NFR Title                                         FISCAM Control Area    New     Repeat\n                                                                                                                              Issue    Issue\nNPPD-IT-13-01   Security Awareness Issues Identified During Social Engineering Testing at NPPD          Security Management             X\nNPPD-IT-13-02   Security Awareness Issues Identified during After-Hours Physical Security Testing at    Security Management             X\n                NPPD\n\n\n\n\n                          
                                              31\n\n\x0c                                                                                                                                                 Appendix B\n\n                                                          Department of Homeland Security\n                                               Consolidated Information Technology Management Letter\n                                                                 September 30, 2013\n\n\n                                                        Transportation Security Administration\n\n    FY 2013 NFR #                                         NFR Title                                            FISCAM Control Area          New       Repeat\n                                                                                                                                            Issue      Issue\n    TSA-IT-13-01     Weakness in eTAS user recertification                                                         Access Controls                       X\n    TSA-IT-13-02     Weakness in eTAS password complexity                                                          Access Controls                       X\n    TSA-IT-13-03     Weakness in eTAS Restoration Testing of Backups                                            Contingency Planning                     X\n    TSA-IT-13-04     Weakness in eTAS review of audit logs                                                         Access Controls                       X\n    TSA-IT-13-05     eTAS System User Access                                                                       Access Controls                       X\n    TSA-IT-13-06     Security Awareness Issues Identified During Social Engineering Testing at TSA              Security Management                     X3\n                     Headquarters\n    TSA-IT-13-07     Physical Security and Security Awareness Issues Identified During After Hours              
Security Management                     X3\n                     Testing at TSA Headquarters\n\n\n\n\n3\n FY 2012 NFR TSA-IT-12-01 was split into two findings for FY 2013 to report separately on the results of each set of enhanced information security testing\nprocedures performed at TSA.\n\n                                                                             32\n\n\x0c                              OFFICE OF INSPECTOR GENERAL\n                                  Department of Homeland Security\n\n\n\n   Appendix A\n   Report Distribution\n   Department of Homeland Security\n\n   Secretary\n   Deputy Secretary\n   Chief of Staff\n   Deputy Chief of Staff\n   General Counsel\n   Executive Secretary\n   Director, GAO/OIG Liaison Office\n   Assistant Secretary for Office of Policy\n   Assistant Secretary for Office of Public Affairs\n   Assistant Secretary for Office of Legislative Affairs\n   Under Secretary for Management\n   Chief Financial Officer\n   Chief Information Officer\n   Chief Information Security Officer\n   Chief Privacy Officer\n\n   Office of Management and Budget\n\n   Chief, Homeland Security Branch\n   DHS OIG Budget Examiner\n\n   Congress\n\n   Congressional Oversight and Appropriations Committees, as appropriate\n\n\n\n\nwww.oig.dhs.gov                                                            OIG-14-94\n\x0cADDITIONAL INFORMATION\n\nTo view this and any of our other reports, please visit our website at: www.oig.dhs.gov.\n\nFor further information or questions, please contact Office of Inspector General (OIG)\nOffice of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov, or follow us on\nTwitter at: @dhsoig.\n\nOIG HOTLINE\n\nTo expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any\nother kinds of criminal or noncriminal misconduct relative to Department of Homeland\nSecurity (DHS) programs and operations, please visit our website at www.oig.dhs.gov\nand click on the red tab titled "Hotline" to report. 
You will be directed to complete and\nsubmit an automated DHS OIG Investigative Referral Submission Form. Submission\nthrough our website ensures that your complaint will be promptly received and\nreviewed by DHS OIG.\n\nShould you be unable to access our website, you may submit your complaint in writing\nto:\n\n       Department of Homeland Security \n\n       Office of Inspector General, Mail Stop 0305 \n\n       Attention: Office of Investigations Hotline \n\n       245 Murray Drive, SW \n\n       Washington, DC 20528-0305 \n\n\nYou may also call 1(800) 323-8603 or fax the complaint directly to us at\n(202) 254-4297.\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'